author | Vadim Bendebury <vbendeb@chromium.org> | 2022-11-25 18:25:59 -0800 |
---|---|---|
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | 2022-12-13 19:07:03 +0000 |
commit | 196b0843e90cfa791123d1fff88eca06721dc64a (patch) | |
tree | c72d7a0557dc76663ba3559a858554653d7923c6 /tests | |
parent | ff29ee63ed52b698afcaa4c2619d7163322a3785 (diff) | |
download | vboot-196b0843e90cfa791123d1fff88eca06721dc64a.tar.gz |
create_new_keys: use single AP RO Verification root key pair

All AP RO verification platform keys must be signed by the same AP RO
verification root key; this is why the root key pair needs to be
created only once, and used for signing key blocks for all PreMP AP RO
verification platform keys.

This patch adds make_arv_root.sh, a script for generating the root
key, and modifies create_new_keys.sh to use the single root key for
signing all generated platform keys.

By default the root key is placed at the top of the root key
directory, from which all key creation scripts are invoked. It is
possible to specify the desired path for the root key to both
make_arv_root.sh and create_new_keys.sh.

Note that the keyset generated for each board still needs to include
the AP RO verification root public key, added explicit copying.

BRANCH=none
BUG=b:299965578
TEST=ran the following commands in ./scripts:
$ mkdir keys
$ cd keys
$ ../keygeneration/make_arv_root.sh
$ ../keygeneration/create_new_keys.sh --output Nissa

This resulted in creation of directory ./scripts/keys/Nissa with
all generated keys and the AP RO verification root public key copy.

Then ran sign_official_build.sh using Nissa recovery image and the
keys/Nissa directory as inputs, observed successful AP firmware
signing, including signing of RO_GSCVD sections.

Then successfully ran ./tests/futility/test_gscvd.sh

Change-Id: Ic024ccdcdcb751be677934bf559c40b2826c714e
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4058180
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Jason Clinton <jclinton@chromium.org>

Diffstat (limited to 'tests')
-rw-r--r-- | tests/ApRoV1Signing-PreMP/arv_root.vbprivk (renamed from tests/devkeys/arv_root.vbprivk) | bin | 2358 -> 2358 bytes |
-rw-r--r-- | tests/ApRoV1Signing-PreMP/arv_root.vbpubk | bin | 0 -> 1064 bytes |
2 files changed, 0 insertions, 0 deletions
diff --git a/tests/devkeys/arv_root.vbprivk b/tests/ApRoV1Signing-PreMP/arv_root.vbprivk Binary files differindex 7747717a..7747717a 100644 --- a/tests/devkeys/arv_root.vbprivk +++ b/tests/ApRoV1Signing-PreMP/arv_root.vbprivk diff --git a/tests/ApRoV1Signing-PreMP/arv_root.vbpubk b/tests/ApRoV1Signing-PreMP/arv_root.vbpubk Binary files differnew file mode 100644 index 00000000..aebe2a48 --- /dev/null +++ b/tests/ApRoV1Signing-PreMP/arv_root.vbpubk |
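
Review bot: the rename of tests/devkeys/arv_root.vbprivk to tests/ApRoV1Signing-PreMP/arv_root.vbprivk keeps the blob unchanged (index 7747717a..7747717a), so a private key already published under tests/devkeys now sits in a directory whose name reads like a PreMP signing keyset. Suggest adding a short README in tests/ApRoV1Signing-PreMP stating that this key pair is test-only and must never be used for signing shipped firmware. Since this view is limited to 'tests', also confirm that no script or test still refers to the old tests/devkeys path.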
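
Review bot: the new tests/ApRoV1Signing-PreMP/arv_root.vbpubk is a binary addition, and nothing in the diff ties it to the arv_root.vbprivk beside it. Suggest having a test assert that this public key is the one derived from that private key, so that regenerating one file without the other fails the test run instead of surfacing later as an unexplained verification failure. The commit message lists tests/futility/test_gscvd.sh under TEST=, but the lines shown here do not say whether it performs that check.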